Support Flash Alert: iOS 12 native Mail app authentication issue with session based authentication
Daniel Nashed – 19 September 2018 05:54:50
There is a support flash for an issue with the native Mail app in iOS 12.
Before this change in iOS 12, a wrong configuration did not impact users in normal operation. Issues only occurred when the password was changed.
Mobile devices cannot handle forms-based authentication. If you configure session based authentication or multi-server session based authentication, the server will not use the basic authentication headers.
On the other hand, the recommended authentication on a Domino HTTP server, and also on a Traveler server, is multi-server session based authentication with LTPA cookies (from a security and performance point of view).
For mobile devices connecting to Traveler you have to ensure basic authentication headers are used, because mobile devices do not understand forms-based authentication for sync requests (they do in web browsers).
Enabling basic authentication headers in combination with multi-server session based authentication is only possible if you use the more modern HTTP configuration leveraging "Internet Sites".
Using an Internet Site, you can override session based authentication for the /traveler URL by configuring an Authentication override rule.
If the server has auto configuration enabled, the required documents will be created automatically if Internet Sites are used for the server.
So the right configuration is either no Internet Sites with basic authentication, or multi-server session based authentication and Internet Sites with the Override Session Authentication rule, which is the recommended configuration even on a stand-alone Traveler server!
This isn't a new requirement. The wrong configuration already caused issues when a user's HTTP password changed. In that case the mobile device wasn't able to figure out that the password was wrong.
The server sent the login form with a 200 status code instead of the authentication challenge with a 401. The mobile device did not understand that.
It only worked by coincidence, because the client sent the basic authentication header anyway.
Here is an example of how your Internet Site should look.
There is one
Site name
Web Site: Nash!Com Traveler Website (domino.acme.de; 1.2.3.4)
Rule (Override Session authentication): /traveler*
Rule (substitution): /Microsoft-Server-ActiveSync* --> /traveler/Microsoft-Server-ActiveSync*
Rule (substitution): /servlet/traveler* --> /traveler*
There is one additional setting that is required.
In the Internet Site you have to ensure that once the user is authenticated with basic authentication for the Traveler URL, the user still gets an LTPA cookie:
When overriding session authentication, generate session cookie: Yes
Here is the link to the new technote:
https://www.ibm.com/support/docview.wss?uid=ibm10731987
The technote also contains a link to the documentation on how to properly configure the Domino HTTP task on your Traveler server:
https://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/httpauthentication.html
-- Daniel
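A check for the two behaviours described above, written as an added example that is not part of the original post or the IBM technote: it classifies the server's reply to a credential-less request for /traveler (401 Basic challenge versus login form served with 200) and tests whether an authenticated reply hands out an LTPA cookie. The login-form heuristic, the cookie-name prefix `LtpaToken`, all function names and the sample replies are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Heuristic (assumption): a login form contains a password input field.
PASSWORD_FIELD = re.compile(r"type\s*=\s*[\"']?password", re.I)

def classify_challenge(status, headers, body):
    """Classify the reply to a request for /traveler sent WITHOUT credentials.

    headers is a list of (name, value) pairs; body is the decoded response text.
    """
    hdr = {name.lower(): value for name, value in headers}
    if status == 401 and hdr.get("www-authenticate", "").lower().startswith("basic"):
        return "ok"           # device gets a real challenge and can re-prompt
    if status == 200 and PASSWORD_FIELD.search(body):
        return "login-form"   # session auth not overridden: form served with 200
    return "unexpected"

def sets_ltpa_cookie(headers):
    """True if a reply to an authenticated request hands out an LTPA cookie.

    Assumption: the cookie name starts with "LtpaToken" (LtpaToken / LtpaToken2).
    """
    return any(name.lower() == "set-cookie" and value.lstrip().startswith("LtpaToken")
               for name, value in headers)

def probe(base_url, path="/traveler"):
    """Fetch path without credentials from a live server and classify the reply."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as resp:
            status, headers, raw = resp.status, resp.headers.items(), resp.read()
    except urllib.error.HTTPError as err:   # urllib raises on a 401 reply
        status, headers, raw = err.code, err.headers.items(), err.read()
    return classify_challenge(status, headers, raw.decode("utf-8", "replace"))

# Constructed sample replies (not captured from a real server).
GOOD = (401, [("WWW-Authenticate", 'Basic realm="/traveler"')], "")
BAD = (200, [("Content-Type", "text/html")],
       '<form method="post"><input name="Password" type=password></form>')
AUTHED = [("Set-Cookie", "LtpaToken=AAECAzEyMzQ=; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    print(classify_challenge(*GOOD), classify_challenge(*BAD), sets_ltpa_cookie(AUTHED))
```

Against your own server, `probe("https://your-traveler-host")` should return `"ok"` once the override rule is active; `"login-form"` means the session authentication override is not being applied to /traveler.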
- Comments [5]
1 Rene 19.09.2018 11:40:00
Thanks Daniel - you are the best.. A real champ
2 Vladimir 20.09.2018 9:16:52
Thank you! Very interesting topic.
3 Vladimir 21.09.2018 13:24:01
I've loaded Internet Sites for my Traveler server and created rules: Override Session Authentication, as was described. But I still see the authentication form :E
4 Vladimir 24.09.2018 7:50:18
I had to restart the whole Domino server to apply the changes. Restarting only HTTP is not sufficient.
5 Charly 09.10.2018 13:55:35
The results are very contrasted with Traveler:
1- incoming mails / calendar entries = OK
2- impossible to send mail / calendar entries
(tested with iPhone 7 and 5S with iOS 12.0)